Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Boosting damage, looking for new ideas

 
Cheat Engine Forum Index -> General Gamehacking
John0
How do I cheat?
Reputation: 0

Joined: 21 Oct 2014
Posts: 5

Posted: Tue Oct 21, 2014 7:14 am    Post subject: Boosting damage, looking for new ideas

Hi!
The game is a mod for d1 called Belzebub, and I am trying to boost my damage. The game has a lot of anti-cheat mechanisms since the last patch; it is not at all like the original d1.

I have found something, but it is impractical to use and I am looking for advice on where to go.

Here is what I do:
- Shoot an arrow, get 942 dmg, pause, go to CE and scan for 942, get 10~15 results.
- Shoot an arrow, get 964 dmg, pause, go to CE and scan next for 964; if I am lucky I find one address.

Now I change the value of this address to, say, 150000. It will work, sometimes: because the damage I deal is within a range (for ex 250-500), if I shoot 10 arrows I will get maybe 6 or 7 different numbers = 6 or 7 of these temporary addresses... that is, on the same monster, which has a fixed amount of armor. If the monster is different, then other temporary addresses like these will be created. There are too many monsters, too many possible damage outputs, considering monster armor, critical damage, etc., so changing them all is impossible. Besides, all the addresses are changed if I change the level I'm playing at.

Now I am thinking, maybe if I can find the assembly code that uses those addresses, I can add there an instruction which adds or subtracts dmg. So I try like in the tutorial, "find out what writes to this address", and there are two instructions that write to this address:
Code:

013BECFB - 89 88 94000000  - mov [eax+00000094],ecx
013BED01 - 89 88 90000000  - mov [eax+00000090],ecx
013BED07 - 89 88 8C000000  - mov [eax+0000008C],ecx <<
013BED0D - 89 88 A5000000  - mov [eax+000000A5],ecx
013BED13 - 88 88 A4000000  - mov [eax+000000A4],cl

EAX=08F48C00
EBX=0000020D
ECX=00000000
EDX=00000100
ESI=00000000
EDI=0000021B
ESP=0032F884
EBP=0032F898
EIP=013BED0D


013C295F - 57 - push edi
013C2960 - 8D 7B 6C  - lea edi,[ebx+6C]
013C2963 - B9 13000000 - mov ecx,00000013 <<
013C2968 - F3 A5 - repe movsd
013C296A - DD 02  - fld qword ptr [edx]

EAX=00424078
EBX=08F48C00
ECX=0000000A
EDX=0032F928
ESI=0032F9B4
EDI=08F48C90
ESP=0032F868
EBP=0032F884
EIP=013C2968


So there I tried like in the tutorial: show disassembler -> ctrl+a -> template code injection. The instruction is:
Code:

mov [eax+0000008C],ecx

I changed it to:
Code:

add ecx,500
mov [eax+0000008C],ecx

But of course it doesn't work. I tried many different numbers, each time quitting and relaunching the game, but no success. When the number is too high the game crashes.

From there I am out of ideas! Maybe it is not possible to use these addresses in a practical way? Or the way I approach the problem is wrong?

I thought of other ways of increasing damage, which work in the original game, but not here:
- to put like 500 points to distribute
doesn't work, even though I found the right address: the game checks that at lvl say 30 you shouldn't have more than 150 points, and if you do, it resets everything.

- modify item
the player saves are protected. Even though I think it is not heavy encryption (because I notice patterns for empty spaces in the stash) there is definitely something like a XOR operation on the file; there is also a form of checksum, but MD5? SHA1? I couldn't find out, and it is too time consuming.
Otherwise, you can't act on the items themselves: there is no ammunition, so I don't know how to detect them with CE.


So now I am looking for advice from more experienced cheaters on how to handle this problem!
Thanks in advance for any help :)
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Tue Oct 21, 2014 12:11 pm    Post subject:

You may be able to find it with that approach (searching for damage amount), or you may have to find enemy health. You should be able to backtrace from the instruction that writes to your enemy health or writes the damage value on-screen, etc.

In Castlevania: Lords of Shadow 2, I was able to find the instruction that wrote the damage value just before the enemy took damage. I don't remember if I found this area of code by searching for damage value or enemy health. Each game is different. Once you have found it, you should only have to make a minor change and it should influence all damage values to enemy players. If the instruction handles damage for hero player, also, then you'll have to filter it out.

If it helps, the routine for enemy damage in Castlevania was this:

Code:
fsub dword ptr [ebp-74]


So, just moving a large value in to [ebp-74] did the trick:

Code:
mov [ebp-74],(float)999.0


To avoid crashing and to ensure that the code will work, be sure to set the data type correctly (in this case, float), and, be sure not to set the value too high (test with really low values and increase from there).
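The scan / next-scan narrowing John0 describes in the first post, and METHOS's point above about setting the data type correctly, as an added Python simulation. This is example code written for this page, not part of the thread and not Cheat Engine's own implementation: the "process memory" is a constructed 256-byte image with a made-up layout (DAMAGE_OFF, DISPLAY_OFF and DECOY_OFFS are assumptions; only the 0x8C offset echoes the field seen in the thread's disassembly). It shows that an int32 scan for 942 finds an integer copy plus two coincidental matches and narrows to the copy after the second shot, while the field stored as a float is only ever found by a float scan, and that writing the wrong location changes nothing the "game" reads.

```python
import struct

# Type name -> struct format. x86 is little-endian, hence "<" throughout.
TYPES = {"int32": "<i", "float": "<f"}

# Constructed layout of a fake hit record (an assumption, not Belzebub's real layout).
DAMAGE_OFF = 0x8C          # float the "game" applies; mirrors the [eax+8C] field in the thread
DISPLAY_OFF = 0x40         # integer copy used for the on-screen number
DECOY_OFFS = (0x10, 0x64)  # unrelated dwords that happen to equal the first roll


def make_snapshot(damage: int, decoy_value: int = 942) -> bytearray:
    """Constructed 256-byte memory image taken right after one arrow hit."""
    mem = bytearray(256)
    for off in DECOY_OFFS:                       # decoys never change between shots
        struct.pack_into("<i", mem, off, decoy_value)
    struct.pack_into("<i", mem, DISPLAY_OFF, damage)
    struct.pack_into("<f", mem, DAMAGE_OFF, float(damage))
    return mem


def first_scan(mem, value, vtype, align=4):
    """CE's first scan: every aligned offset whose bytes encode `value` as `vtype`."""
    fmt = TYPES[vtype]
    pattern, size = struct.pack(fmt, value), struct.calcsize(fmt)
    return [off for off in range(0, len(mem) - size + 1, align)
            if mem[off:off + size] == pattern]


def next_scan(mem, candidates, value, vtype):
    """CE's next scan: keep only candidates that now hold the new value."""
    fmt = TYPES[vtype]
    pattern, size = struct.pack(fmt, value), struct.calcsize(fmt)
    return [off for off in candidates if mem[off:off + size] == pattern]


def narrow(vtype, rolls):
    """First scan on the first damage roll, then one next scan per later roll.
    Each roll gets its own snapshot, as if the game were paused after each shot."""
    snapshots = [make_snapshot(r) for r in rolls]
    cands = first_scan(snapshots[0], rolls[0], vtype)
    for snap, roll in zip(snapshots[1:], rolls[1:]):
        cands = next_scan(snap, cands, roll, vtype)
    return cands


def read_value(mem, off, vtype):
    return struct.unpack_from(TYPES[vtype], mem, off)[0]


def write_value(mem, off, value, vtype):
    struct.pack_into(TYPES[vtype], mem, off, value)


if __name__ == "__main__":
    rolls = [942, 964]
    print("int32 scan :", [hex(o) for o in narrow("int32", rolls)])  # only the display copy survives
    print("float scan :", [hex(o) for o in narrow("float", rolls)])  # the field the game uses
    mem = make_snapshot(942)
    write_value(mem, DISPLAY_OFF, 50000, "int32")                     # editing the wrong location
    print("game reads :", read_value(mem, DAMAGE_OFF, "float"))      # still 942.0
```

The narrowing only converges because the candidate field sits at the same offset in every snapshot. In John0's description each arrow gets a fresh record, so the address found this way is transient, which is why the thread moves on to the instruction that writes the field rather than the field itself.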
John0
How do I cheat?
Reputation: 0

Joined: 21 Oct 2014
Posts: 5

Posted: Tue Oct 21, 2014 3:50 pm    Post subject:

Quote:

You should be able to backtrace from the instruction that writes to your enemy health or writes the damage value on-screen etc..

It is what I am trying to do; the address I got is written to by two instructions:
Code:

013BED07 - 89 88 8C000000  - mov [eax+0000008C],ecx <<

and then
Code:

013C2963 - B9 13000000 - mov ecx,00000013 <<


But modifying them didn't work. For example I replaced
Code:

mov [eax+0000008C],ecx

with
Code:

mov [ecx],999
mov [eax+0000008C],ecx

But it didn't do anything.
Then how do I go from there to an instruction that actually makes a subtraction like in your example? Should I look in the assembly code around the 2 instructions I have? Sorry if my questions are dumb but I am still a beginner and I don't know all the functions in CE.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Tue Oct 21, 2014 5:53 pm    Post subject:

If this doesn't work, then you may not have found the correct code/location:
Code:
mov [eax+0000008C],(float)99.0



Quote:
Then how do I go from there to an instruction that actually makes a subtraction like in your example? Should I look in the assembly code around the 2 instructions I have?
-Yes, assuming you have the correct code/location. Just look above the instruction(s) and do some testing.
John0
How do I cheat?
Reputation: 0

Joined: 21 Oct 2014
Posts: 5

Posted: Sun Oct 26, 2014 11:14 am    Post subject:

Thx for the answer. Unfortunately it didn't work; it doesn't appear to change anything.

I did some digging and I used the "find out what addresses this instruction accesses" from the disassembler on this mov instruction, and yet I find that all my damage is written to many variables by this instruction. If I use the multi shot skill I will have 15 or 20 variables that I see this instruction has changed, all with the correct damage.

Around this mov instruction in the disassembler there are maybe 10 other mov instructions, such as:
Code:

mov [eax+000000A0],ecx
mov [eax+0000009C],ecx
mov [eax+00000098],ecx
...

all separated by 4 bytes. I tried to change them all like in your example but that didn't work either.

To be sure we are talking about the same thing, here is exactly what I did:
- in the disassembler I click on the mov instruction and do ctrl+a like in the tutorial
- template > code injection > ok
- in the "newmem:" section I put your instruction and change nothing else.


I also tried the "break and trace instructions" and looked for "add" or "sub" commands but didn't find any.

Finally that mov command is definitely involved in the damage and not display because as I said in first post if I change it it will work sometimes (if one arrow does 1542, I change to 50000, next arrow does 1564 for ex, then if next again does 1542 it will be changed to 50000).

I hit a wall now; I don't know where to go next, but thanks for the insight anyway.
Is it even sure that there is a variable in all this that I can change to boost damage? Or is it possible that there is a protection mechanism in source code that makes it impossible to cheat?
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Oct 26, 2014 1:14 pm    Post subject:

John0 wrote:
To be sure we are talking about the same thing, here is exactly what I did:
- in the disassembler I click on the mov instruction and do ctrl+a like in the tutorial
- template > code injection > ok
- in the "newmem:" section I put your instruction and change nothing else.
-Probably better to just paste your entire script here so that we can see it.

John0 wrote:
Finally that mov command is definitely involved in the damage and not display because as I said in first post if I change it it will work sometimes (if one arrow does 1542, I change to 50000, next arrow does 1564 for ex, then if next again does 1542 it will be changed to 50000).
-I don't quite follow what you're saying. However, if you are correct, then you should be able to manipulate the damage value fairly easily.

John0 wrote:

Is it even sure that there is a variable in all this that I can change to boost damage? Or is it possible that there is a protection mechanism in source code that makes it impossible to cheat?
-Yes, there is probably a way to alter the damage value for every instance. Regarding a protection mechanism - yes, that is possible, always...more so with online games. If this is an offline game, it is not as likely to be protected.
John0
How do I cheat?
Reputation: 0

Joined: 21 Oct 2014
Posts: 5

Posted: Sun Oct 26, 2014 3:05 pm    Post subject:

Ok here is the script:
Code:

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [eax+0000008C],(float)99.0

originalcode:
mov [eax+0000008C],ecx

exit:
jmp returnhere

"Belzebub.exe"+11ED07:
jmp newmem
nop
returnhere:

I've tried without float, bigger values, enormous values, but the damage is not changed.


Quote:

-I don't quite follow what you're saying.


The damage I do is within a range: 356-390. So each time I shoot an arrow the damage is within this range. But sometimes the same damage pops up again. The program then reuses the variable I spotted first. Ex:

371 , 388, 365, 361, 382, 371, that number again

In CE I see at address 0AD4E96C the value 371. If I change that value to 50000, each time the damage 371 is rolled up then the arrow will do 50000 damage. So if that address was just about the display value on the screen and not actual damage this wouldn't work.
It is not possible to use it this way though as I said in first post, too many damage output possible, with crit chance and different spells etc, there are dozens of variables that I see this mov instruction accesses and writes to.

It is not an online game with the server that validates values itself. So I guess it should be possible then...
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Oct 26, 2014 7:04 pm    Post subject:

Code:

alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem:
mov [eax+0000008C],(float)99.0   // the replacement write

originalcode:
mov [eax+0000008C],ecx  ////////You must remove this line. (It runs after newmem and overwrites the 99.0 with ecx again.)

exit:
jmp returnhere

"Belzebub.exe"+11ED07:
jmp newmem   // 5-byte jmp replaces the 6-byte mov (89 88 8C000000), hence one nop
nop
returnhere:
John0
How do I cheat?
Reputation: 0

Joined: 21 Oct 2014
Posts: 5

Posted: Sat Nov 01, 2014 9:42 am    Post subject:

Ok this didn't work so I guess this wasn't the right instruction in the end.
I managed to find another way to influence damage though by editing items, so all is good.

Thanks for your help :)
rusudanut
How do I cheat?
Reputation: 0

Joined: 21 Jul 2016
Posts: 5

Posted: Sat Jul 23, 2016 11:17 am    Post subject:

interesting, how can you edit items?
All times are GMT - 6 Hours